Design philosophy

Project N.O.M.A.D. is designed to be open and available without hurdles. By design, it includes no built-in authentication. The intended use case is a local or private network server where the people accessing it are trusted. This means:
  • Anyone who can reach the server on the network can use it
  • There are no user accounts, passwords, or sessions to manage
  • No login screen stands between your users and the content
N.O.M.A.D. is not designed to be exposed directly to the public internet. We strongly advise against doing so unless you fully understand the risks and have taken appropriate network-level security measures.

Authentication

There is currently no authentication system. This is intentional — N.O.M.A.D. prioritizes accessibility over gatekeeping in its core use cases (offline survival computing, family/classroom use on a trusted LAN). Authentication may be added in the future if demand warrants it. A potential future implementation could support different permission levels — for example, parental controls for family use or teacher/admin accounts for classroom deployments. For now, use network-level controls to manage who can reach your instance.

Ports

N.O.M.A.D. exposes the following ports to the host by default:
| Port | Service | Description |
|------|---------|-------------|
| 8080 | Command Center (admin) | Main web interface for N.O.M.A.D. |
| 9999 | Dozzle | Container log viewer |
As of v1.30, MySQL and Redis ports are not exposed to the host by default. These services communicate only within the internal Docker network. If you need to expose them for specific reasons, you can add port mappings manually to the Docker Compose configuration.

Dozzle security

Dozzle (the container log viewer on port 9999) runs with restricted defaults:
  • Shell access is disabled — no interactive container shells via the web UI
  • Container actions are disabled — users cannot stop or restart containers from Dozzle
These defaults were introduced in v1.30 based on community security recommendations. Because Dozzle has access to the Docker socket, enabling shell access would allow unauthenticated privilege escalation on a shared network.
Do not re-enable Dozzle shell or action features (DOZZLE_ENABLE_SHELL, DOZZLE_ENABLE_ACTIONS) unless you have restrictive network access controls in place.
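
One way to check a deployment against the port and Dozzle defaults described in the two sections above, as an added example (not N.O.M.A.D.'s own code): it audits Compose configuration in the JSON form printed by `docker compose config --format json`, flagging any published host port other than 8080 and 9999 and any enabled Dozzle shell or action flag. The service names in the sample are hypothetical, and the set of values treated as "false" for the Dozzle flags is an assumption.

```python
import json
import sys

ALLOWED_HOST_PORTS = {"8080", "9999"}   # the two ports this page lists as exposed
DOZZLE_FLAGS = ("DOZZLE_ENABLE_SHELL", "DOZZLE_ENABLE_ACTIONS")

def env_map(env):
    """Normalise Compose `environment` (mapping or KEY=VALUE list) to a dict."""
    if isinstance(env, dict):
        return {k: "" if v is None else str(v) for k, v in env.items()}
    return dict(item.partition("=")[::2] for item in (env or []))

def host_port(port):
    """Host side of a `ports` entry; 'ephemeral' when Docker picks the port."""
    if isinstance(port, dict):                    # long form
        pub = str(port.get("published") or "")
    else:                                         # short form "[ip:]host:container[/proto]"
        parts = str(port).split("/")[0].split(":")
        pub = parts[-2] if len(parts) >= 2 else ""
    return pub or "ephemeral"

def audit(compose):
    """Return findings where the config departs from the defaults described above."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for port in svc.get("ports") or []:
            if host_port(port) not in ALLOWED_HOST_PORTS:
                findings.append(f"{name}: host port {host_port(port)} is published")
        env = env_map(svc.get("environment"))
        for flag in DOZZLE_FLAGS:
            # Conservative assumption: anything but an explicit false counts as enabled.
            if flag in env and env[flag].strip().lower() not in ("", "0", "f", "false"):
                findings.append(f"{name}: {flag} is enabled")
    return findings

# Constructed sample; service names are hypothetical, not N.O.M.A.D.'s own.
SAMPLE = {"services": {
    "admin": {"ports": [{"target": 8080, "published": "8080"}]},
    "dozzle": {"ports": ["9999:8080"],
               "environment": ["DOZZLE_ENABLE_SHELL=true", "DOZZLE_ENABLE_ACTIONS=false"]},
    "mysql": {"ports": [{"target": 3306, "published": "3306"}],
              "environment": {"MYSQL_DATABASE": "example"}},
}}

if __name__ == "__main__":
    # Usage: docker compose config --format json | python3 audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    print("\n".join(audit(data)) or "matches documented defaults")
```

On the constructed sample it reports the enabled Dozzle shell flag and the published MySQL port; an empty result means the configuration matches the defaults this page describes.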

Path traversal and SSRF mitigations

As of v1.29, N.O.M.A.D. includes mitigations against path traversal and Server-Side Request Forgery (SSRF) attacks. These protect the API from being used to read arbitrary files from the server or make unintended outbound requests.

Recommendations

  • Run N.O.M.A.D. on a private network (home LAN, isolated VLAN, etc.)
  • Use firewall rules to control which devices can reach ports 8080 and 9999 — see Network Access for examples
  • Do not forward N.O.M.A.D. ports through your router to the public internet
  • Keep N.O.M.A.D. updated — updates regularly include security improvements